update to 0.3.1:

- use passive ftp by default, don't retry on failure [1]
- add a -C flag, portlint style
- don't keep databases that are tool old [2]

Requested by:	hubs [1]
Noticed by:	Nicolas Rachinsky <nicolas@rachinsky.de> [2]

ports-mgmt/portaudit/Makefile

@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	portaudit
-PORTVERSION=	0.3
+PORTVERSION=	0.3.1
 CATEGORIES=	security
 DISTFILES=
 
@@ -28,7 +28,7 @@ SED_SCRIPT=	-e 's,%%PREFIX%%,${PREFIX},g' \
 		-e 's,%%DATABASEDIR%%,${DATABASEDIR},g'
 
 PKG_INFO_BASE?=	/usr/sbin/pkg_info
-BASEPKGVER!=	${PKG_INFO_BASE} -qP 2>/dev/null
+BASEPKGVER!=	${PKG_INFO_BASE} -qP 2>/dev/null || ${TRUE}
 
 .if ${BASEPKGVER} < 20040125
 RUN_DEPENDS=	${LOCALBASE}/sbin/pkg_info:${PORTSDIR}/sysutils/pkg_install-devel

ports-mgmt/portaudit/files/portaudit-cmd.sh

@@ -1,4 +1,4 @@
-#!/bin/sh -ef
+#!/bin/sh -e
 #
 # Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
 #
@@ -35,6 +35,9 @@
 portaudit_confs
 
 opt_audit=false
+opt_auditcwd=false
+opt_audittree=false
+opt_verbose=false
 opt_version=false
 opt_dbversion=false
 opt_fetch=false
@@ -44,25 +47,31 @@ if [ $# -eq 0 ] ; then
 	opt_audit=true
 fi
 
-while getopts aVdFq opt; do
+while getopts aACvVdFq opt; do
 	case "$opt" in
 	a)
 		opt_audit=true;;
+	A)
+		opt_audittree=true;;
+	C)
+		opt_auditcwd=true;;
 	d)
 		opt_dbversion=true;;
 	F)
 		opt_fetch=true;;
 	q)
 		opt_quiet=true;;
+	v)
+		opt_verbose=true;;
 	V)
 		opt_version=true;;
 	?)
-		echo "Usage: $0 -adFqV"
+		echo "Usage: $0 -aACvVdFq"
 		exit 2;;
 	esac
 done
 
-shift $(($OPTIND - 1))
+shift $((${OPTIND}-1))
 
 if $opt_version; then
 	echo "portaudit version %%PORTVERSION%%"
@@ -81,10 +90,56 @@ if $opt_dbversion; then
 		echo "portaudit: database corrupt."
 		exit 2
 	fi
-	echo "database created: `getcreated_auditfile`"
+	created=`getcreated_auditfile`
+	echo "database created: `/bin/date -j -f '%Y-%m-%d %H:%M:%S %Z' \"${created} GMT\"`"
 fi
 
 if $opt_audit; then
 	portaudit_prerequisites
 	audit_installed || true
 fi
+
+if $opt_auditcwd; then
+	portaudit_prerequisites
+	audit_cwd
+fi
+
+if $opt_audittree; then
+	echo "auditing ports tree for known vulnerabilities"
+	VULCNT=0
+
+	portaudit_prerequisites
+
+	cd "${PORTSDIR:=/usr/ports}"
+	CATEGORIES=`echo [a-z]*`
+
+	for category in ${CATEGORIES}; do
+		if [ ! -d "${PORTSDIR}/${category}" ]; then continue; fi
+		case "${category}" in
+			CVS) continue ;;
+			Mk) continue ;;
+			Templates) continue ;;
+			Tools) continue ;;
+			distfiles) continue ;;
+			packages) continue ;;
+		esac
+
+		$opt_quiet || echo "==> ${category}"
+
+		cd "${PORTSDIR}/${category}"
+		PORTS=`echo *`
+
+		for port in ${PORTS}; do
+			if [ ! -d "${PORTSDIR}/${category}/${port}" ]; then continue; fi
+			case "${port}" in
+				pkg) continue ;;
+				CVS) continue ;;
+			esac
+
+			cd "${PORTSDIR}/${category}/${port}"
+			audit_cwd;
+		done
+	done
+
+	echo "${VULCNT} ports with unmarked vulnerabilities."
+fi

ports-mgmt/portaudit/files/portaudit.1

@@ -43,6 +43,8 @@
 .
 .Nm
 .Op Fl a
+.Op Fl A
+.Op Fl C
 .Op Fl V
 .Op Fl d
 .Op Fl F
@@ -74,6 +76,11 @@ The following options are supported:
 .Bl -tag -width ".Fl X"
 .It Fl a
 Print a vulnerability report for all installed packages
+.It Fl A
+Print a vulnerability report for all ports in PORTSDIR (slow).
+.It Fl C
+Print a vulnerability report for the port in the current working directory.
+Mostly useful for committers.
 .It Fl F
 Fetch the current database from the
 .Fx servers
@@ -118,7 +125,7 @@ Print a vulnerability report for all installed packages:
 .Sh CAVEATS
 .
 The format of
-.Pa %%DATABASEDIR%%/auditfile.tbz
+.Pa %%PREFIX%%/etc/portaudit.conf
 might change.
 .
 .

ports-mgmt/portaudit/files/portaudit.conf

@@ -10,10 +10,10 @@
 #FETCH_ENV="FTP_PROXY=http://ftp.proxy.sample/ HTTP_PROXY=http://http.proxy.sample:80/"
 
 # default fetch command
-#FETCH_CMD="/usr/bin/fetch -1am"
+#FETCH_CMD="/usr/bin/fetch -1m"
 
-# uncoment to use passive ftp, see fetch(1)
-#FETCH_BEFORE_ARGS="-p"
+# use passive ftp transfers with extra verbose mode, see fetch(1)
+#FETCH_BEFORE_ARGS="-p -vvv"
 
 #FETCH_AFTER_ARGS=
 

ports-mgmt/portaudit/files/portaudit.functions

@@ -37,8 +37,8 @@ portaudit_confs()
 	portaudit_filename=${portaudit_filename:-"auditfile.tbz"}
 
 	FETCH_ENV=${FETCH_ENV:-}
-	FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1am"}
-	FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-}
+	FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1m"}
+	FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-"-p"}
 	FETCH_AFTER_ARGS=${FETCH_AFTER_ARGS:-}
 
 	MASTER_SITES=${MASTER_SITES:-"
@@ -80,6 +80,12 @@ checksum_auditfile()
 }
 
 getcreated_auditfile()
+{
+	extract_auditfile |
+		/usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}) *([0-9]{2}):?([0-9]{2}):?([0-9]{2}).*$/\1-\2-\3 \4:\5:\6/p'
+}
+
+gettimestamp_auditfile()
 {
 	extract_auditfile |
 		/usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p'
@@ -87,7 +93,7 @@ getcreated_auditfile()
 
 checkexpiry_auditfile()
 {
-	created=`getcreated_auditfile`
+	created=`gettimestamp_auditfile`
 	expiry=`/bin/date -u -v-$1d '+%Y%m%d'`
 	[ "${created}" -ge "${expiry}" ];
 }
@@ -95,13 +101,15 @@ checkexpiry_auditfile()
 portaudit_prerequisites()
 {
 	if [ -z "${PKG_INFO}" ]; then
-		if [ -x %%LOCALBASE%%/sbin/pkg_info ]; then
-			PKG_INFO=%%LOCALBASE%%/sbin/pkg_info
+		if [ -x "%%LOCALBASE%%/sbin/pkg_info" ]; then
+			PKG_INFO="%%LOCALBASE%%/sbin/pkg_info"
 		else
-			PKG_INFO=/usr/sbin/pkg_info
+			PKG_INFO="/usr/sbin/pkg_info"
 		fi
 	fi
 
+	PKG_VERSION="${PKG_INFO%/*}/pkg_version"
+
 	if [ ! -x "${PKG_INFO}" ]; then
 		echo "${PKG_INFO} missing, please install port sysutils/pkg_install-devel"
 		return 1
@@ -155,6 +163,36 @@ audit_installed()
 	"
 }
 
+audit_cwd()
+{
+	if [ ! -r "Makefile" ]; then
+		return 1
+	fi
+
+	PKGSTATE=`/usr/bin/make -VPKGNAME -VFORBIDDEN -VPKGORIGIN 2>/dev/null || true"`
+	PKGNAME=`echo "${PKGSTATE}" | /usr/bin/sed -ne '1p'`
+	FORBIDDEN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '2p'`
+	PKGORIGIN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '3p'`
+
+	VLIST=`extract_auditfile | /usr/bin/awk -F\| " \
+		/^[^#]/ { \
+		if (!system(\"${PKG_VERSION} -T '${PKGNAME}' '\" \\$1 \"'\")) \
+			print \"- <\" \\$2 \">\" \
+		} \
+	"`
+
+	if [ -n "${VLIST}" -a -z "${FORBIDDEN}" ]; then
+		echo
+		echo "Port ${PKGNAME} (${PKGORIGIN}) should be marked FORBIDDEN:"
+		echo "${VLIST}"
+		VULCNT=$((${VULCNT}+1))
+	elif $opt_verbose && [ -n "${VLIST}" ]; then
+		echo
+		echo "Good: port ${PKGNAME} (${PKGORIGIN}) is marked FORBIDDEN: ${FORBIDDEN}"
+		echo "${VLIST}"
+	fi
+}
+
 fetch_locations()
 {
 	# site sort order is not overly smart
@@ -204,7 +242,6 @@ fetch_auditfile()
 			echo "fetched database corrupt."
 		elif ! checkexpiry_auditfile 7; then
 			echo "fetched database too old."
-			rc=0
 		else
 			echo "new database installed."
 			rc=0

security/portaudit/Makefile

@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	portaudit
-PORTVERSION=	0.3
+PORTVERSION=	0.3.1
 CATEGORIES=	security
 DISTFILES=
 
@@ -28,7 +28,7 @@ SED_SCRIPT=	-e 's,%%PREFIX%%,${PREFIX},g' \
 		-e 's,%%DATABASEDIR%%,${DATABASEDIR},g'
 
 PKG_INFO_BASE?=	/usr/sbin/pkg_info
-BASEPKGVER!=	${PKG_INFO_BASE} -qP 2>/dev/null
+BASEPKGVER!=	${PKG_INFO_BASE} -qP 2>/dev/null || ${TRUE}
 
 .if ${BASEPKGVER} < 20040125
 RUN_DEPENDS=	${LOCALBASE}/sbin/pkg_info:${PORTSDIR}/sysutils/pkg_install-devel

security/portaudit/files/portaudit-cmd.sh

@@ -1,4 +1,4 @@
-#!/bin/sh -ef
+#!/bin/sh -e
 #
 # Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
 #
@@ -35,6 +35,9 @@
 portaudit_confs
 
 opt_audit=false
+opt_auditcwd=false
+opt_audittree=false
+opt_verbose=false
 opt_version=false
 opt_dbversion=false
 opt_fetch=false
@@ -44,25 +47,31 @@ if [ $# -eq 0 ] ; then
 	opt_audit=true
 fi
 
-while getopts aVdFq opt; do
+while getopts aACvVdFq opt; do
 	case "$opt" in
 	a)
 		opt_audit=true;;
+	A)
+		opt_audittree=true;;
+	C)
+		opt_auditcwd=true;;
 	d)
 		opt_dbversion=true;;
 	F)
 		opt_fetch=true;;
 	q)
 		opt_quiet=true;;
+	v)
+		opt_verbose=true;;
 	V)
 		opt_version=true;;
 	?)
-		echo "Usage: $0 -adFqV"
+		echo "Usage: $0 -aACvVdFq"
 		exit 2;;
 	esac
 done
 
-shift $(($OPTIND - 1))
+shift $((${OPTIND}-1))
 
 if $opt_version; then
 	echo "portaudit version %%PORTVERSION%%"
@@ -81,10 +90,56 @@ if $opt_dbversion; then
 		echo "portaudit: database corrupt."
 		exit 2
 	fi
-	echo "database created: `getcreated_auditfile`"
+	created=`getcreated_auditfile`
+	echo "database created: `/bin/date -j -f '%Y-%m-%d %H:%M:%S %Z' \"${created} GMT\"`"
 fi
 
 if $opt_audit; then
 	portaudit_prerequisites
 	audit_installed || true
 fi
+
+if $opt_auditcwd; then
+	portaudit_prerequisites
+	audit_cwd
+fi
+
+if $opt_audittree; then
+	echo "auditing ports tree for known vulnerabilities"
+	VULCNT=0
+
+	portaudit_prerequisites
+
+	cd "${PORTSDIR:=/usr/ports}"
+	CATEGORIES=`echo [a-z]*`
+
+	for category in ${CATEGORIES}; do
+		if [ ! -d "${PORTSDIR}/${category}" ]; then continue; fi
+		case "${category}" in
+			CVS) continue ;;
+			Mk) continue ;;
+			Templates) continue ;;
+			Tools) continue ;;
+			distfiles) continue ;;
+			packages) continue ;;
+		esac
+
+		$opt_quiet || echo "==> ${category}"
+
+		cd "${PORTSDIR}/${category}"
+		PORTS=`echo *`
+
+		for port in ${PORTS}; do
+			if [ ! -d "${PORTSDIR}/${category}/${port}" ]; then continue; fi
+			case "${port}" in
+				pkg) continue ;;
+				CVS) continue ;;
+			esac
+
+			cd "${PORTSDIR}/${category}/${port}"
+			audit_cwd;
+		done
+	done
+
+	echo "${VULCNT} ports with unmarked vulnerabilities."
+fi

security/portaudit/files/portaudit.1

@@ -43,6 +43,8 @@
 .
 .Nm
 .Op Fl a
+.Op Fl A
+.Op Fl C
 .Op Fl V
 .Op Fl d
 .Op Fl F
@@ -74,6 +76,11 @@ The following options are supported:
 .Bl -tag -width ".Fl X"
 .It Fl a
 Print a vulnerability report for all installed packages
+.It Fl A
+Print a vulnerability report for all ports in PORTSDIR (slow).
+.It Fl C
+Print a vulnerability report for the port in the current working directory.
+Mostly useful for committers.
 .It Fl F
 Fetch the current database from the
 .Fx servers
@@ -118,7 +125,7 @@ Print a vulnerability report for all installed packages:
 .Sh CAVEATS
 .
 The format of
-.Pa %%DATABASEDIR%%/auditfile.tbz
+.Pa %%PREFIX%%/etc/portaudit.conf
 might change.
 .
 .

security/portaudit/files/portaudit.conf

@@ -10,10 +10,10 @@
 #FETCH_ENV="FTP_PROXY=http://ftp.proxy.sample/ HTTP_PROXY=http://http.proxy.sample:80/"
 
 # default fetch command
-#FETCH_CMD="/usr/bin/fetch -1am"
+#FETCH_CMD="/usr/bin/fetch -1m"
 
-# uncoment to use passive ftp, see fetch(1)
-#FETCH_BEFORE_ARGS="-p"
+# use passive ftp transfers with extra verbose mode, see fetch(1)
+#FETCH_BEFORE_ARGS="-p -vvv"
 
 #FETCH_AFTER_ARGS=
 

security/portaudit/files/portaudit.functions

@@ -37,8 +37,8 @@ portaudit_confs()
 	portaudit_filename=${portaudit_filename:-"auditfile.tbz"}
 
 	FETCH_ENV=${FETCH_ENV:-}
-	FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1am"}
-	FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-}
+	FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1m"}
+	FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-"-p"}
 	FETCH_AFTER_ARGS=${FETCH_AFTER_ARGS:-}
 
 	MASTER_SITES=${MASTER_SITES:-"
@@ -80,6 +80,12 @@ checksum_auditfile()
 }
 
 getcreated_auditfile()
+{
+	extract_auditfile |
+		/usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}) *([0-9]{2}):?([0-9]{2}):?([0-9]{2}).*$/\1-\2-\3 \4:\5:\6/p'
+}
+
+gettimestamp_auditfile()
 {
 	extract_auditfile |
 		/usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p'
@@ -87,7 +93,7 @@ getcreated_auditfile()
 
 checkexpiry_auditfile()
 {
-	created=`getcreated_auditfile`
+	created=`gettimestamp_auditfile`
 	expiry=`/bin/date -u -v-$1d '+%Y%m%d'`
 	[ "${created}" -ge "${expiry}" ];
 }
@@ -95,13 +101,15 @@ checkexpiry_auditfile()
 portaudit_prerequisites()
 {
 	if [ -z "${PKG_INFO}" ]; then
-		if [ -x %%LOCALBASE%%/sbin/pkg_info ]; then
-			PKG_INFO=%%LOCALBASE%%/sbin/pkg_info
+		if [ -x "%%LOCALBASE%%/sbin/pkg_info" ]; then
+			PKG_INFO="%%LOCALBASE%%/sbin/pkg_info"
 		else
-			PKG_INFO=/usr/sbin/pkg_info
+			PKG_INFO="/usr/sbin/pkg_info"
 		fi
 	fi
 
+	PKG_VERSION="${PKG_INFO%/*}/pkg_version"
+
 	if [ ! -x "${PKG_INFO}" ]; then
 		echo "${PKG_INFO} missing, please install port sysutils/pkg_install-devel"
 		return 1
@@ -155,6 +163,36 @@ audit_installed()
 	"
 }
 
+audit_cwd()
+{
+	if [ ! -r "Makefile" ]; then
+		return 1
+	fi
+
+	PKGSTATE=`/usr/bin/make -VPKGNAME -VFORBIDDEN -VPKGORIGIN 2>/dev/null || true"`
+	PKGNAME=`echo "${PKGSTATE}" | /usr/bin/sed -ne '1p'`
+	FORBIDDEN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '2p'`
+	PKGORIGIN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '3p'`
+
+	VLIST=`extract_auditfile | /usr/bin/awk -F\| " \
+		/^[^#]/ { \
+		if (!system(\"${PKG_VERSION} -T '${PKGNAME}' '\" \\$1 \"'\")) \
+			print \"- <\" \\$2 \">\" \
+		} \
+	"`
+
+	if [ -n "${VLIST}" -a -z "${FORBIDDEN}" ]; then
+		echo
+		echo "Port ${PKGNAME} (${PKGORIGIN}) should be marked FORBIDDEN:"
+		echo "${VLIST}"
+		VULCNT=$((${VULCNT}+1))
+	elif $opt_verbose && [ -n "${VLIST}" ]; then
+		echo
+		echo "Good: port ${PKGNAME} (${PKGORIGIN}) is marked FORBIDDEN: ${FORBIDDEN}"
+		echo "${VLIST}"
+	fi
+}
+
 fetch_locations()
 {
 	# site sort order is not overly smart
@@ -204,7 +242,6 @@ fetch_auditfile()
 			echo "fetched database corrupt."
 		elif ! checkexpiry_auditfile 7; then
 			echo "fetched database too old."
-			rc=0
 		else
 			echo "new database installed."
 			rc=0